Certainly. And for the current HBAC's model of user (groups), host
(groups), service (groups), you can tell the admin to structure their
environment and groups in such a way that they are not needed.
But the question is, if you want for the admin to be able to control
access to a website where longer URLs often need to be more restricted
than the shorter ones, what mechanism do you propose? It is not
possible to positively (for allow purposes) list only an exhaustive list
of URL prefixes that should have the broader access allowed -- new
versions of the web application can introduce additional URLs into the
namespace, and the URLs are not identities like users or hosts that
FreeIPA would be aware of and that you could easily manage by putting
them into groups.
The natural way to think about access to web URLs is to say "I only
want admins to access /application/users/admin/". Which of course
means "I want to deny everyone who has otherwise access to other URLs,
except for admins".
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
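
The contrast drawn in the message above, as an added example that is not part of the original post and is not FreeIPA's HBAC code: a hypothetical evaluator for URL-prefix rules in which a matching deny rule overrides allows. `Rule`, `decide`, the group names and the `/application/export/` path are assumptions made for illustration, and paths are assumed to be percent-decoded already.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    effect: str            # "allow" or "deny"
    prefix: str            # URL path prefix the rule covers
    groups: frozenset      # groups named by the rule; "*" means everyone
    negate: bool = False   # True: rule applies to users NOT in groups

def _under(path, prefix):
    # Match on path-segment boundaries so /application/users/administrator
    # is not treated as being under /application/users/admin/.
    p = prefix.rstrip("/")
    return path == p or path.startswith(p + "/")

def _applies(rule, user_groups):
    if "*" in rule.groups:
        return True
    return bool(rule.groups & user_groups) != rule.negate

def decide(rules, user_groups, path):
    """Default deny; any matching deny rule overrides matching allow rules."""
    # Collapse "..", "." and repeated slashes before matching, otherwise a
    # prefix-based deny can be sidestepped with an equivalent spelling.
    path = "/" + posixpath.normpath(path).lstrip("/")
    hits = [r for r in rules
            if _under(path, r.prefix) and _applies(r, user_groups)]
    if any(r.effect == "deny" for r in hits):
        return False
    return any(r.effect == "allow" for r in hits)

# Constructed sample policies for the two models being compared.
ALLOW_ONLY = [  # every non-admin prefix has to be enumerated by hand
    Rule("allow", "/application/reports/", frozenset({"*"})),
    Rule("allow", "/application/users/view/", frozenset({"*"})),
    Rule("allow", "/application/users/admin/", frozenset({"admins"})),
]
ALLOW_PLUS_DENY = [  # broad allow, then "deny everyone except admins"
    Rule("allow", "/application/", frozenset({"*"})),
    Rule("deny", "/application/users/admin/", frozenset({"admins"}), negate=True),
]
```

With `ALLOW_ONLY`, a path added by a new application version (here `/application/export/`) is refused until someone extends the list; with `ALLOW_PLUS_DENY` it is reachable immediately while the admin subtree stays restricted.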